CVE-2022-39346: Missing length validation of user displayname in nextcloud server
First published: Fri Nov 25 2022(Updated: )
Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Enterprise Server | <22.2.10 | |
| Nextcloud Nextcloud Enterprise Server | >=23.0.0<23.0.7 | |
| Nextcloud Nextcloud Enterprise Server | >=24.0.0<24.0.3 | |
| Nextcloud Nextcloud Server | <22.2.10 | |
| Nextcloud Nextcloud Server | >=23.0.0<23.0.7 | |
| Nextcloud Nextcloud Server | >=24.0.0<24.0.3 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6w9f-jgjx-4vj6
- https://github.com/nextcloud/server/pull/33052
- https://hackerone.com/reports/1588562
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42TARDPRPBTI5TJRBYRVVQGTL6KWRCV5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R32L3P53AQKQQC652LA5U3AWFTZKPDK3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRAER4DCCHHSUDFHQ6LTIH4JEJFF73IU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TARDPRPBTI5TJRBYRVVQGTL6KWRCV5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRAER4DCCHHSUDFHQ6LTIH4JEJFF73IU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R32L3P53AQKQQC652LA5U3AWFTZKPDK3/
Frequently Asked Questions
What is CVE-2022-39346?
CVE-2022-39346 is a vulnerability in Nextcloud server that could allow a malicious user to cause a denial of service by overloading the database.
How can this vulnerability be exploited?
This vulnerability can be exploited by a malicious user who can create user display names that overload the backing database, leading to a denial of service.
What versions of Nextcloud server are affected?
Versions up to and including 22.2.10 of Nextcloud Enterprise Server and Nextcloud Server are affected. Additionally, versions between 23.0.0 and 23.0.7, and versions between 24.0.0 and 24.0.3 of Nextcloud Enterprise Server and Nextcloud Server are also affected.
What is the severity of CVE-2022-39346?
The severity of CVE-2022-39346 is medium, with a CVSS score of 6.5.
How can I fix this vulnerability?
To fix this vulnerability, it is recommended to upgrade Nextcloud Server to version 22.2.11 or later.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/references
- agent/title
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/nextcloud
- canonical/nextcloud nextcloud enterprise server
- version/nextcloud nextcloud enterprise server/23.0.0
- version/nextcloud nextcloud enterprise server/24.0.0
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/23.0.0
- version/nextcloud nextcloud server/24.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37